Privacy

France spanks Google $170M, Facebook $68M over cookie consent dark patterns

Comment

Image Credits: Bryce Durbin / TechCrunch

Chalk another one up for decentralized enforcement: France’s data protection watchdog has slapped headline-grabbing fines on Facebook and Google for failing to respect local (and pan-EU) cookie consent rules.

Today, the CNIL said it’s fined Google €150M (~$170M) and Facebook €60M (~$68M) for breaching French law, following investigations of how they present tracking choices to users of google.fr, youtube.com and facebook.com.

The regulator said it was acting after receiving a number of complaints.

In a clear breach of EU and French law, it found the pair do not offer an option for users to reject non-essential cookies as easily as the option they offer for them to accept all tracking.

So, in short, the tech giants were using manipulative dark patterns to try to force consent.

Here’s an illustrative snippet from the CNIL’s press release:

” … the information given by the company is not clear since, in order to refuse the deposit of cookies, Internet users must click on a button entitled “Accept cookies”, displayed in the second window. It considered that such a title necessarily generates confusion and that the user may have the feeling that it is not possible to refuse the deposit of cookies and that they have no way to manage it.

The restricted committee judged that the methods of collecting consent proposed to users, as well as the lack of clarity of information provided to them, constitute violations of Article 82 of the French Data Protection Act.”

Under EU law, if consent is the legal basis being claimed for processing people’s data there are strict standards that must be adhered to — consent must be informed, specific and freely given in order for it to be obtained legally.

Long running complaints against Facebook and Google over similarly problematic consent issues continue to languish on the desk of the Irish Data Protection Commission (DPC), meanwhile — which under the EU’s General Data Protection Regulation (GDPR)’s one-stop-shop (OSS) mechanism is a quasi centralized enforcer for most of big tech.

The DPC has been accused of dragging its feet on GDPR oversight of tech giants and creating a bottleneck for effective enforcement of the regulation, as the OSS encourages forum shopping — and Ireland’s low corporate tax economy appears only too happy to oblige client corporates with low resolution regulatory oversight too.

Notably, the CNIL is taking action against Facebook and Google under an earlier piece of EU legislation — the ePrivacy Directive — which gives competence to national agencies in their own territories. So the French continue to find creative ways to apply GDPR data protection standards nationally, despite the OSS and Irish GDPR blockage.

There’s a particular irony here, in that Google and Facebook involved themselves in regional lobbying efforts to delay a planned update to the ePrivacy Directive — which would have replaced it with a regulation, as we’ve reported before.

Digging into Google’s push to freeze ePrivacy

The ePrivacy Regulation still hasn’t been adopted — despite being proposed back in 2017! Which creates inconsistencies between EU law. But does also leaves Member State-level regulators such as CNIL free to enforce ePrivacy rules within their own jurisdictions, retaining decentralized power to sanction big tech on its home turf under the ePrivacy Directive. So, er, oopsy! That’s turned into a fairly expensive mistake for Facebook and Google in France at least.

France’s regulator has been especially busy on this front — fining Google €100M back in December 2020 for dropping tracking cookies without consent. At the same time it also stung Amazon €35M over the same issue.

Earlier, the CNIL even managed to get an early GDPR fine in against Google — all the way back in 2019 — before the company realized its legal exposure and switched the legal entity handling EU users’ data from the US to Ireland so that its regional business would fall under the DPC’s ‘less muscular’ oversight.

To date, Google has not faced a single sanction under GDPR out of Ireland — despite a number of very substantial and very long running complaints filed against it, including over forced consent; its handling of location data; and its adtech.

Complaints are not only continuing to stack up against tech giants over systemic breaches of EU data protection law and against the DPC for its embarrassingly thin record on enforcement — and even for alleged corruption, in a more recent charge against Ireland — but also against the European Commission itself which stands accused of failing in its duty to monitor GDPR enforcement at a Member State level.

The Commission did intervene verbally late last year — with a direct warning to data protection agencies that GPDR enforcement must become “effective” fast or else it suggested DPAs would face having such power taken out of their hands — in favor of centralized enforcement by the EU executive.

At the same time, Google and Facebook were also blasted by the Commission which accused adtech giants of choosing legal tricks over genuine compliance with the bloc’s privacy standards, with commissioner Vera Jourová warning: “It is high time for those companies to take protection of personal data seriously. I want to see full compliance, not legal tricks. It’s time not to hide behind small print, but tackle the challenges head on.”

But despite firing a few pot-shots, the Commission appears reluctant to actually step in and sanction Ireland, though. So it’s been left to Member States like France to make the point in another way — i.e. by having its agencies illustrate that enforcement is not only possible but happening.

(See also: France’s competition watchdog taking tough action against Google, for example.)

Google fined $592M in France for breaching antitrust order to negotiate copyright fees for news snippets

In addition to today’s headline-grabbing fines, the CNIL has ordered Facebook and Google to change how they present cookie choices to users in France — giving the pair three months to provide local users with a means of refusing cookies that’s as simple as the existing means of accepting them — “in order to guarantee their freedom of consent”.

Failure to comply with the order will mean the companies face further penalties — of €100,000 per day of delay.

The CNIL has been focusing its oversight on cookie consents for some time.

The regulator set a deadline of March 31, 2021 for websites to comply with updated cookie guidance which it published back in October 2020. And, since the end of March, says it has adopted nearly 100 “corrective measures” (aka, orders and sanctions) related to non-compliance with the legislation on cookies.

Ireland also published updated cookie guidance, back in April 2020 — when it said it would give websites and data controllers six months to come into compliance before taking any enforcement action.

However the DPC has once again shown itself to be all mouth and no trousers: Failing to issue any public sanctions in relation to cookie consent violations against commercial entities (and certainly nothing against Facebook or Google on this front).

A DPC decision against Facebook-owned WhatsApp that was issued late last year focused on transparency breaches.

The size of that eventual penalty for WhatsApp — $267M — was also substantially inflated after interventions by other EU DPAs and the European Data Protection Board; Ireland’s draft decision had only suggested a fine of up to €50M. Facebook, meanwhile, is seeking to evade the sanction by appealing against it.)

Reached for comment on the CNIL’s spank for disingenuous cookie consents, a Meta/Facebook spokesperson said:

“​​We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

The tech giant also pointed to an announcement it made in September last year about an update to its local “cookie controls” — when it said it would be giving people in Europe “a more granular level of control over their cookie choices and more information on what we use different kinds of cookies for, including what information we receive from other apps and websites”.

“This work is part of our ongoing efforts to give people greater control over their privacy and align with evolving privacy requirements, such as the General Data Protection Regulations (GDPR) and the ePrivacy Directive (ePD),” it added at the time.

Whatever the specific fiddles Facebook made back then the changes don’t seem to have impressed the French.

At the time of writing Google had not responded to a request for comment on CNIL’s sanction but we’ll update this report if we get one.

Update: A Google spokesperson said:

“People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive.”

Europe’s cookie consent reckoning is coming

EU warns adtech giants over ‘legal tricks’ as it moots changes to centralize privacy oversight

Facebook’s lead EU privacy supervisor hit with corruption complaint

More TechCrunch

The U.K.’s self-proclaimed “world-leading” regulations for self-driving cars are now official, after the Automated Vehicles (AV) Act received royal assent — the final rubber stamp any legislation must go through…

UK’s autonomous vehicle legislation becomes law, paving the way for first driverless cars by 2026

ChatGPT, OpenAI’s text-generating AI chatbot, has taken the world by storm. What started as a tool to hyper-charge productivity through writing essays and code with short text prompts has evolved…

ChatGPT: Everything you need to know about the AI-powered chatbot

SoLo Funds CEO Travis Holoway: “Regulators seem driven by press releases when they should be motivated by true consumer protection and empowering equitable solutions.”

Fintech lender Solo Funds is being sued again by the government over its lending practices

Hard tech startups generate a lot of buzz, but there’s a growing cohort of companies building digital tools squarely focused on making hard tech development faster, more efficient, and —…

Rollup wants to be the hardware engineer’s workhorse

TechCrunch Disrupt 2024 is not just about groundbreaking innovations, insightful panels, and visionary speakers — it’s also about listening to YOU, the audience, and what you feel is top of…

Disrupt Audience Choice vote closes Friday

Google says the new SDK would help Google expand on its core mission of connecting the right audience to the right content at the right time.

Google is launching a new Android feature to drive users back into their installed apps

Jolla has taken the official wraps off the first version of its personal server-based AI assistant in the making. The reborn startup is building a privacy-focused AI device — aka…

Jolla debuts privacy-focused AI hardware

OpenAI is removing one of the voices used by ChatGPT after users found that it sounded similar to Scarlett Johansson, the company announced on Monday. The voice, called Sky, is…

OpenAI to remove ChatGPT’s Scarlett Johansson-like voice

The ChatGPT mobile app’s net revenue first jumped 22% on the day of the GPT-4o launch and continued to grow in the following days.

ChatGPT’s mobile app revenue saw its biggest spike yet following GPT-4o launch

Dating app maker Bumble has acquired Geneva, an online platform built around forming real-world groups and clubs. The company said that the deal is designed to help it expand its…

Bumble buys community building app Geneva to expand further into friendships

CyberArk — one of the army of larger security companies founded out of Israel — is acquiring Venafi, a specialist in machine identity, for $1.54 billion. 

CyberArk snaps up Venafi for $1.54B to ramp up in machine-to-machine security

Founder-market fit is one of the most crucial factors in a startup’s success, and operators (someone involved in the day-to-day operations of a startup) turned founders have an almost unfair advantage…

OpenseedVC, which backs operators in Africa and Europe starting their companies, reaches first close of $10M fund

A Singapore High Court has effectively approved Pine Labs’ request to shift its operations to India.

Pine Labs gets Singapore court approval to shift base to India

The AI Safety Institute, a U.K. body that aims to assess and address risks in AI platforms, has said it will open a second location in San Francisco. 

UK opens office in San Francisco to tackle AI risk

Companies are always looking for an edge, and searching for ways to encourage their employees to innovate. One way to do that is by running an internal hackathon around a…

Why companies are turning to internal hackathons

Featured Article

I’m rooting for Melinda French Gates to fix tech’s broken ‘brilliant jerk’ culture

Women in tech still face a shocking level of mistreatment at work. Melinda French Gates is one of the few working to change that.

1 day ago
I’m rooting for Melinda French Gates to fix tech’s  broken ‘brilliant jerk’ culture

Blue Origin has successfully completed its NS-25 mission, resuming crewed flights for the first time in nearly two years. The mission brought six tourist crew members to the edge of…

Blue Origin successfully launches its first crewed mission since 2022

Creative Artists Agency (CAA), one of the top entertainment and sports talent agencies, is hoping to be at the forefront of AI protection services for celebrities in Hollywood. With many…

Hollywood agency CAA aims to help stars manage their own AI likenesses

Expedia says Rathi Murthy and Sreenivas Rachamadugu, respectively its CTO and senior vice president of core services product & engineering, are no longer employed at the travel booking company. In…

Expedia says two execs dismissed after ‘violation of company policy’

Welcome back to TechCrunch’s Week in Review. This week had two major events from OpenAI and Google. OpenAI’s spring update event saw the reveal of its new model, GPT-4o, which…

OpenAI and Google lay out their competing AI visions

When Jeffrey Wang posted to X asking if anyone wanted to go in on an order of fancy-but-affordable office nap pods, he didn’t expect the post to go viral.

With AI startups booming, nap pods and Silicon Valley hustle culture are back

OpenAI’s Superalignment team, responsible for developing ways to govern and steer “superintelligent” AI systems, was promised 20% of the company’s compute resources, according to a person from that team. But…

OpenAI created a team to control ‘superintelligent’ AI — then let it wither, source says

A new crop of early-stage startups — along with some recent VC investments — illustrates a niche emerging in the autonomous vehicle technology sector. Unlike the companies bringing robotaxis to…

VCs and the military are fueling self-driving startups that don’t need roads

When the founders of Sagetap, Sahil Khanna and Kevin Hughes, started working at early-stage enterprise software startups, they were surprised to find that the companies they worked at were trying…

Deal Dive: Sagetap looks to bring enterprise software sales into the 21st century

Keeping up with an industry as fast-moving as AI is a tall order. So until an AI can do it for you, here’s a handy roundup of recent stories in the world…

This Week in AI: OpenAI moves away from safety

After Apple loosened its App Store guidelines to permit game emulators, the retro game emulator Delta — an app 10 years in the making — hit the top of the…

Adobe comes after indie game emulator Delta for copying its logo

Meta is once again taking on its competitors by developing a feature that borrows concepts from others — in this case, BeReal and Snapchat. The company is developing a feature…

Meta’s latest experiment borrows from BeReal’s and Snapchat’s core ideas

Welcome to Startups Weekly! We’ve been drowning in AI news this week, with Google’s I/O setting the pace. And Elon Musk rages against the machine.

Startups Weekly: It’s the dawning of the age of AI — plus,  Musk is raging against the machine

IndieBio’s Bay Area incubator is about to debut its 15th cohort of biotech startups. We took special note of a few, which were making some major, bordering on ludicrous, claims…

IndieBio’s SF incubator lineup is making some wild biotech promises

YouTube TV has announced that its multiview feature for watching four streams at once is now available on Android phones and tablets. The Android launch comes two months after YouTube…

YouTube TV’s ‘multiview’ feature is now available on Android phones and tablets